7 CISO succession planning best practices
Nothing is certain except death, taxes and CISO turnover. Learn how to prepare for the inevitable and future-proof your security program with a succession plan.
With the frequency and severity of security incidents continuing to escalate across all areas of business, the need for a great chief information security officer is universal among enterprises. But the enormous pressure of this role, combined with overwhelming demand for qualified candidates, creates a high probability that a CISO will either burn out or leave for a more lucrative opportunity at another organization sooner rather than later. With this in mind, it is essential that companies plan for their existing CISOs' inevitable departures.
The good news is proactive CISO succession planning has many possible benefits, including the following:
- Cost savings. Planning ahead and proactively identifying succession candidates can help save money in recruitment costs, which are typically around 25% of a given position's annual salary.
- Continuity. Grooming and promoting an existing employee, such as a business information security officer or deputy CISO, to the top security role eliminates the burden of training a new hire on the environment.
- Company stability. Lastly, and most importantly, having a plan in place when a CISO departs dramatically increases company stability.
7 best practices for CISO succession planning
Failing to plan is planning to fail. That means all CISOs, in every type of organization and environment, should help strategically prepare employers for their eventual departures and replacements.
A CISO who neglects succession planning and treats themselves as indispensable may think this is a recipe for job security, but at best it is a recipe for professional stagnation. Given the stress implicit in the position, the top cybersecurity role typically has a shelf life. Smart CISOs therefore form, early in their tenures, ideas about the following:
- roughly how long they plan to stay;
- goals for the next chapters of their careers and how to achieve them;
- who might succeed them;
- how and when those transitions would ideally unfold.
CEOs, board members and other executive stakeholders should also ensure measures are in place to create a relatively smooth CISO succession, if and when one becomes necessary. Consider these seven best practices.
1. Start CISO succession planning early
Ideally, CISOs should initiate succession planning within the first six months of taking on a new role, beginning with a review of any succession plan the previous CISO established. Next, they should review any succession plans that exist for other executive roles to help identify organization-specific items the security program's plan should include.
2. Anticipate future security requirements
Security, like technology, is constantly evolving. CISO succession planning requires anticipating what the security environment will look like in the future and preparing accordingly. While no one can predict exactly what will occur tomorrow, it is possible to make an informed assessment of what security issues are likely to arise or linger based on the following:
- how a particular business is evolving; and
- how technology is evolving.
For example, since the COVID-19 pandemic started, enterprises have seen an increase in remote work, SaaS and cloud computing. CISOs should, therefore, ask themselves the following:
- What security implications do these changes have?
- What policies, technologies and skills could help us meet related security needs?
After forecasting future security requirements, develop a training program to ensure staff members have the skills necessary to rise to tomorrow's challenges.
3. Train future leaders
Assess strengths and weaknesses of existing senior security talent, as well as their personalities, professional experiences and career goals, within the context of the anticipated security landscape and enterprise needs. Consider who would best handle an initial crisis, for example, and who might effectively provide long-term stability. Incorporate leadership and management training that will position these future leaders to confidently assume new responsibilities as necessary.
These up-and-coming security leaders likely have their own thoughts about emerging trends and threats, so actively include them in future-proofing discussions. Incorporate their ideas into training and planning to give them a sense of ownership in the process, which increases the likelihood of succession success.
4. Involve the board
Because the top cybersecurity job is of increasing strategic importance to most companies, boards should require the development and maintenance of CISO succession plans. They should also review and approve those plans to ensure they do the following:
- align with broad business requirements; and
- consider both planned and unplanned CISO departures.
5. Prepare for planned CISO departures
Planned departures include retirements and lateral, internal moves, such as from CISO to chief risk officer. In certain cases, CISOs may also have understandings with their employers that they will leave to pursue external opportunities once they have met specific high-level goals. Some security leaders, for example, specialize in guiding organizations through data breach recovery and then move on once they have succeeded.
With significant notice -- at least three months -- companies may have the luxury of onboarding a new CISO before the outgoing one has left. This could mean promoting a current employee or bringing in an outside hire. With enough notice, an incoming CISO can shadow the outgoing CISO to learn about existing staff, policies and processes, resulting in minimal operational and cultural disruptions.
6. Prepare for unplanned CISO departures
Unfortunately, CISO departures can also happen with little warning. Illness, death, sudden terminations and resignations, personal crises, imprisonment and major security events can all send an organization into upheaval at a moment's notice.
To prepare for such unforeseen events, ensure every security role has documentation describing its key responsibilities and tasks. HR should maintain these files, and the CISO should review them annually in case replacement personnel need to refer to them as training guides.
Security staff members will ideally also have cross-training in other roles, which is especially important for backing up single-person positions. If a senior security architect must suddenly become acting CISO, for example, other colleagues may need to shoulder some of the architect's typical workload.
Consider making a backup plan in case a sudden CISO departure requires in-house staff to pinch-hit, leaving them unavailable to handle their usual responsibilities. This might mean outsourcing some security tasks to third-party providers or identifying staffing companies with expertise in sourcing temporary or permanent talent with key skills.
7. Regularly review CISO succession plans
CISOs, CEOs, boards and other relevant executive stakeholders should revisit succession plans at least annually. The following are among the major changes within an enterprise that should trigger a review:
- shifting economic conditions;
- mergers and acquisitions;
- significant security incidents;
- turnover among deputy security leadership; and
- security staff performance concerns.
One thing is certain: Change will happen. Organizations that take active measures to shape the future, rather than just reacting to it, will be in a better position to succeed. CISO succession planning can help companies make sure they are prepared for the inevitable, when it occurs.